Detect convertions of floats into unsigned integers without a sign check

[ainar-g]

See dominikh/go-tools#101 and dominikh/go-tools#943. I'm not sure if semgrep or ruleguard are able to trace that a value has been checked, but perhaps outlawing all such conversions “just in case” could also be reasonable?

(More of a “maybe” issue, feel free to close if it doesn't seem viable.)

[dgryski]

Neither semgrep nor ruleguard have the data flow smarts to handle this. At best we could maybe flag some suspicious patterns, but it's not clear what those would look like without vast quantities of false positives.

[ainar-g]

I see, thanks. If we consider the “simple stupid” solution, where semgrep just marks all such conversions as suspicious, to be too noisy, then I think this issue can be closed.